How I Almost Missed the Point at Astrix...
Sometimes age is not your friend when you want to keep an open mind. I really felt that having been involved with system accounts, service accounts, PIM and PAM, and all the other ancestors of NHI meant that I understood what Astrix was all about. When they first asked me to come on as an advisor in 2024, I thought it was pretty natural that they would want someone who had “been there, done that” to help out. Well, I didn’t know what I didn’t know. It’s only by joining, and now being a month into the day-to-day with the team and customers, that I’m seeing the real story behind what Astrix does. But I almost missed the whole thing because I thought I knew better. Maybe I can save you some time and tell you what I’ve learned.
First, it’s not as if the experience you may have from doing PIM/PAM (Privileged Identity Management and Privileged Account Management) is unrelated. If you know the challenges and solutions involved in getting service accounts, secrets, and related beasts into vaults, controlling their lifecycles and rotations, and ensuring good hygiene in the governance over who (and what) can use them, then you’ve got a lot of the right ideas. Oddly, what you have covers the start and the end of the Astrix story but is missing some of the critical stuff from the middle. The PIM/PAM ideas come out of the world of identity (from IAM, if you want to be picky). The Astrix secret is mixing in a whole set of security concepts.
It’s right in the tagline. Astrix says it’s “Non-Human Identity Security.” It’s easy to skip over the word “security” there, but it’s crucial. A key question you can ask yourself is: how would you go about prioritizing your non-human identity assets? A very IAM-centric view might think about how they are connected to people, their roles in applications, and other similar concepts. That stuff is important. But if you refine the question to: “which NHIs do I need to take action to lock down right now?”, the focus should change. Astrix looks at the NHI world through a lens of risk. That risk is determined partly by the posture of each NHI (which does include its connections to humans and apps), and then the activity of the NHI is mapped in as well. The outcome is a very clear ranking of which NHIs deserve attention now.
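To make the posture-plus-activity idea concrete, here is an added illustrative scoring model. It is not Astrix’s product logic and not code from the original post; the field names, weights, thresholds and sample inventory are all assumptions invented for this example. The point it shows is that the same inventory ranks differently once activity is counted alongside static posture.

```python
"""Illustrative risk ranking of non-human identities (NHIs).

Added example: a toy scoring model, not Astrix's product logic. The field
names, weights and sample inventory below are assumptions made up for this post.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Weights and thresholds are arbitrary assumptions for illustration; a real
# program would calibrate them against its own environment and incident history.
PRIVILEGE_WEIGHT = {"admin": 40, "write": 25, "read": 10}
ROTATION_MAX_AGE_DAYS = 90
IDLE_AFTER_DAYS = 60


@dataclass(frozen=True)
class NHI:
    name: str
    kind: str                 # e.g. "api_key", "service_account", "oauth_token"
    privilege: str            # "admin" | "write" | "read"
    secret_age_days: int      # days since the credential was last rotated
    has_owner: bool           # is a human accountable for it?
    third_party: bool         # does it grant a vendor/SaaS app access?
    last_used_days: int       # days since it last authenticated (large = idle)
    unusual_activity: bool    # e.g. new source IP or new API surface seen


def posture_score(n: NHI) -> int:
    """Static risk: what the credential could do and how well it is governed."""
    score = PRIVILEGE_WEIGHT.get(n.privilege, 10)
    if n.secret_age_days > ROTATION_MAX_AGE_DAYS:
        score += 15          # overdue for rotation
    if not n.has_owner:
        score += 15          # nobody to attest, approve or revoke
    if n.third_party:
        score += 10          # blast radius includes a vendor's security
    return score


def activity_score(n: NHI) -> int:
    """Dynamic risk: how the credential is actually being used (or not)."""
    score = 0
    if n.last_used_days > IDLE_AFTER_DAYS:
        score += 10          # idle-but-live credentials are pure liability
    else:
        score += 5           # in use: a leak would be exercised immediately
    if n.unusual_activity:
        score += 30          # a change in behaviour is the strongest signal
    return score


def risk_score(n: NHI) -> int:
    return posture_score(n) + activity_score(n)


def rank_nhis(inventory: List[NHI]) -> List[Tuple[str, int]]:
    """Return (name, score) pairs, highest risk first."""
    return sorted(((n.name, risk_score(n)) for n in inventory),
                  key=lambda pair: pair[1], reverse=True)


# Constructed sample inventory (not real identities).
SAMPLE_INVENTORY = [
    NHI("ci-deploy-key", "api_key", "admin", 400, False, False, 120, False),
    NHI("crm-sync-token", "oauth_token", "write", 30, True, True, 1, True),
    NHI("metrics-reader", "service_account", "read", 20, True, False, 2, False),
    NHI("legacy-backup-sa", "service_account", "admin", 800, False, False, 3, False),
]

if __name__ == "__main__":
    for name, score in rank_nhis(SAMPLE_INVENTORY):
        print(f"{score:3d}  {name}")
```

Run as-is, the list comes out as ci-deploy-key (80), legacy-backup-sa (75), crm-sync-token (70), metrics-reader (15). On posture alone crm-sync-token would sit at 35, near the bottom; the fresh unusual activity on a third-party write token is what lifts it into the “act now” tier, which is the middle-of-the-story piece that a pure vault-and-rotate view never sees.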
Why is prioritization so important now? We’re being overrun by NHIs. Digital transformation gave us a huge increase in NHIs as people moved to an all-DevOps-all-the-time posture. Orchestration and automation run on API keys, tokens, and other assets that give them access to all the systems and data they use. And everyone’s favorite buzzword, AI, is about to supercharge that. Before you stop reading because I said AI, let me give you some real-world numbers. The Stanford University 2024 AI Index report highlights that 72% of organizations use AI in at least one function, up from 50% in prior years, and most of those covered use it in multiple functions. AI projects on GitHub reached 1.8M in 2023, up from only 845 in 2011 when the first one appeared, with a 59.3% spike in 2023 alone. Stars on AI projects tripled from 4M in 2022 to 12.2M in 2023. And here’s the thing: any AI system that touches an API, accesses real data, or even calls LLMs uses NHIs for its access.
The numbers are staggering, and they’re the reason there needs to be a new approach. We can no longer treat NHIs as a “poor cousin” of human identity, where we do the same things we have always done, just with different targets. There needs to be a whole new model to handle this scale. When faced with these numbers, you have to focus your efforts where things are most crucial. Using the security aspects of the Astrix solution gives you exactly that ability to see the forest and not just the trees. In the end, the IAM solutions come back in: you’re going to run workflows to assign owners and get attestations from them. You’re going to use all the PIM and PAM rotations, revocations, and other tricks. But now you’re going to focus those efforts where they are needed, so that as the NHI numbers grow you’re keeping up with what’s critical, and doing it at the same pace as the NHIs keep growing. I missed all this when I first looked at what Astrix was up to. Now you don’t have to.
CEO/CISO EnterpriseGRC Solutions, CSA Working Group, President ISC2 East Bay Chapter
3 weeks
ISC2 East Bay Chapter is about to spend a whole day with Astrix Security. We are so lucky. https://isc2-eastbay-chapter.org/conferences/isc2-east-bay-winter-conference-incident-response-to-resilience/
When you asked “A key question you can ask yourself is: how would you go about prioritizing your non-human identity assets?”, I thought “by risk! Say it’s by risk!” Well said, prioritization is key.
Digital Identity & InfoSec Professional - Adjunct Professor - IDPro Board Emeritus - Elections Official
3 weeks
You're not alone, Sander. We have the curse of knowledge in this space and it is natural to filter any 'new' knowledge through the paradigms we're comfortable with. I've had a similar dissonance this past year recognizing that, to understand where this space is shifting, we have to turn off some of those filters to understand the challenge we face fully. Part of it is a little intimidating, but exciting at the same time. Everything old is new again, but seeing the differences requires new thinking about the old problems as well.